Wilders Security Forums  

#1
June 25th, 2008, 05:43 PM
Diver
Scan On Read, Write or Webscan

Most AVs are set up to scan on file open (reading) and file close (writing). Some provide an option to select one or the other. One that I know of, AVG Free, installs with the default of scan on file open only, but this can be changed in the advanced options.

Several AV's have a web scanner that scans files as they are being downloaded, but before they are rendered by the browser. This results in redundant scanning as the file is immediately scanned again when the download is finished or the file written to the browser's cache.

Why not turn off scanning on file close (writing) when using an AV with a web scanner?

Some testing I did with Avira Premium revealed that files will be scanned when I open a shared directory on my local network and also when I access optical media. Other than by browser download, these are the two main ways that files get onto any machine. If you are thinking about email, most AVs now scan email for nasty attachments. The Avira web scanner even scans archives by default. This is something most on-access scanners do not do by default.

If I copied an archive from my local network or optical media to my hard drive and then created a file by unpacking the archive and the contents were infected, it would not be detected until an attempt was made to execute the file. At that time it would be detected, assuming it was in the AV signature database.

There are other ways to create files, like FTP programs and P2P, but ultimately everything gets scanned before it is executed by scan on file open. This is obviously the logic used by AVG in their choice of default setting. Even running a mouse over the file or opening its folder will often be enough to get it scanned. If you don't scan it right away, that is all the better, because the AV's signatures would be a more recent version.

I suppose this gets back to the old chestnut of whether one needs to scan on both open and close. It's just that web scanning now takes out the largest percentage of files created by most folks, and it seems to tilt the balance.

Why bother? If your computer is fast the difference is probably not noticeable, although it might give a contemporary notebook computer a few extra minutes of battery life during heavy browsing.

Any thoughts?
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.

The Prince, by Niccolo Machiavelli.
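As an added illustration of the trade-off described above (not code from the thread or from any AV product), a small Python model of the open, close and download hook points; the hook model, the integer signature version and the sample files are constructed assumptions:

```python
"""Toy model of on-access scanner hook points (constructed for illustration,
not any vendor's implementation). A sample is 'detected' once the scanner's
signature version is at least the version in which the sample became known."""
from dataclasses import dataclass

@dataclass
class Scanner:
    scan_on_open: bool = True    # scan when a file is opened / executed
    scan_on_close: bool = True   # scan when a written file is closed
    web_scanner: bool = False    # scan the download stream before caching
    sig_version: int = 1
    scans: int = 0               # total scan invocations (the CPU/battery cost)

    def _scan(self, sample):
        self.scans += 1
        return sample["known_since"] <= self.sig_version

    def download(self, sample):
        """Browser download: WEB hook on the stream, then CLOSE once cached."""
        if self.web_scanner and self._scan(sample):
            return True
        return self.scan_on_close and self._scan(sample)

    def write(self, sample):
        """File created by LAN copy, optical media or unpacking: CLOSE hook only."""
        return self.scan_on_close and self._scan(sample)

    def execute(self, sample):
        """Executing (or merely reading) the file fires the OPEN hook."""
        return self.scan_on_open and self._scan(sample)

CLEAN_DOWNLOAD = {"name": "clean.zip", "known_since": 99}  # constructed, never flagged
STALE_PAYLOAD = {"name": "payload.exe", "known_since": 2}  # constructed, known from sig v2

def download_scan_count(web_scanner, scan_on_close):
    """How many times one clean browser download is scanned under a given setup."""
    s = Scanner(web_scanner=web_scanner, scan_on_close=scan_on_close)
    s.download(CLEAN_DOWNLOAD)
    return s.scans

def unpacked_archive_case(scan_on_close):
    """Diver's scenario: a file is unpacked while signatures are stale (v1) and
    executed after an update (v2). Returns (detected_at_write, detected_at_exec)."""
    s = Scanner(scan_on_close=scan_on_close)
    at_write = s.write(STALE_PAYLOAD)
    s.sig_version = 2                     # signature update arrives before execution
    return at_write, s.execute(STALE_PAYLOAD)
```

Turning off scan-on-close drops the redundant second scan of each download, while the stale-signature payload is still caught at execution under either setting.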
#2
June 26th, 2008, 01:54 AM
Kees1958
Re: Scan On Read, Write or Webscan

Diver,

Experts are not sure about this. What I understand is that the sooner (before execution) malware is scanned, the more chance an AV has to pinpoint it. Scanning webmail through POP3, and scripts before they execute on a webpage, provides the AV engine more time.

Another benefit could be that by knowing the source the scan can be more specific and efficient, so maybe in the architecture of the AV engine the flow of events is optimised.

Example:
a) webscanner - focus on malicious scripts
b) mailscanner - focus on macro viruses within Office documents and embedded code within media files
c) filescanner - focus on file infectors, Windows viruses etc.
d) on execution - focus on packed code, DOS viruses etc.

My 2 cents would be: the software architects of the AV vendor will figure out the optimum, so use it correspondingly.

Regards, Kees
#3
June 26th, 2008, 07:56 AM
ola nordmann
Re: Scan On Read, Write or Webscan

Quote:
Originally Posted by Kees1958
Experts are not sure about this. What I understand is that the sooner (before execution) malware is scanned, the more chance an AV has to pinpoint it. Scanning webmail through POP3, and scripts before they execute on a webpage, provides the AV engine more time.
I'm not sure what you mean by giving the AV engine more time?

Either the AV finds something or it doesn't - it's that simple. There is no concept of how much time is available. A realtime file-monitor is implemented as a filesystem driver and blocks read/execute until scanning is finished. In other words: it doesn't start the execution while scanning or something like that.

My personal opinion is that some AV products have way too many scanners for this and that. It's driven by marketing purposes rather than technical reasons, and of course the competition is also to blame. If company A implements a webmail scanner (for scanning attachments from Gmail, Hotmail etc.), then company B may feel the need to implement the same, not because it gives any additional protection (after all, either a file-monitor or a web-scanner will be more than enough), but because they are afraid their product will seem incomplete if they lack "features" that competitors have.
#4
June 26th, 2008, 11:31 AM
Kees1958
Re: Scan On Read, Write or Webscan

Quote:
Originally Posted by ola nordmann
I'm not sure what you mean by giving the AV engine more time?

A realtime file-monitor is implemented as a filesystem driver and blocks read/execute until scanning is finished. In other words: it doesn't start the execution while scanning or something like that.

A webscanner is often implemented as an executable which passes the suspicious web content to the file system driver (or via the server executable first). When this would not be the case, this web content would be executed before having any interaction with the disk. This is what I meant by time gained (in the flow of events).

Quote:
Originally Posted by ola nordmann
My personal opinion is that some AV products have way too many scanners for this and that. It's driven by marketing purposes rather than technical reasons, and of course the competition is also to blame.

What a bummer! I like to think it optimises the software architecture and therefore the efficiency, but I am not an AV specialist. I agree that marketing-wise it is good to offer a solution for problems stated in press communications (like Google serves 7541 malicious sites, or 90% of the infections are delivered through mail). How do you know for sure that there is no technical reason for it? From a non-expert point of view it seems logical that web content entering the system through the network stack should be handled differently than infected files coming from external data sources.

Regards, Kees
